Fix FormHelper::postLink() not working when SecurityComponent is enabled.

The action attribute value was not being included in the generated hash,
so postLink() forms never worked properly.

Fixes #3418
markstory committed Apr 29, 2014
1 parent 1a39917 commit e1057e3
Showing 2 changed files with 36 additions and 0 deletions.
34 changes: 34 additions & 0 deletions lib/Cake/Test/Case/View/Helper/FormHelperTest.php
Expand Up @@ -7616,6 +7616,40 @@ public function testPostLink() {
));
}

/**
* Test that security hashes for postLink include the url.
*
* @return void
*/
public function testPostLinkSecurityHash() {
$hash = Security::hash(
'/posts/delete/1' .
serialize(array()) .
'' .
Configure::read('Security.salt')
);
$hash .= '%3A';
$this->Form->request->params['_Token']['key'] = 'test';

$result = $this->Form->postLink('Delete', '/posts/delete/1');
$this->assertTags($result, array(
'form' => array(
'method' => 'post', 'action' => '/posts/delete/1',
'name', 'id', 'style' => 'display:none;'
),
array('input' => array('type' => 'hidden', 'name' => '_method', 'value' => 'POST')),
array('input' => array('type' => 'hidden', 'name' => 'data[_Token][key]', 'value' => 'test', 'id')),
'div' => array('style' => 'display:none;'),
array('input' => array('type' => 'hidden', 'name' => 'data[_Token][fields]', 'value' => $hash, 'id')),
array('input' => array('type' => 'hidden', 'name' => 'data[_Token][unlocked]', 'value' => '', 'id')),
'/div',
'/form',
'a' => array('href' => '#', 'onclick' => 'preg:/document\.post_\w+\.submit\(\); event\.returnValue = false; return false;/'),
'Delete',
'/a'
));
}

/**
* Test using postLink with N dimensional data.
*
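Review bot: The expected value built at the top of testPostLinkSecurityHash() concatenates '/posts/delete/1', serialize(array()), an empty string and the salt, then appends '%3A', and nothing in the test says what the empty string or the '%3A' suffix represents. A short comment on each operand would let the test double as a description of the token layout that the validating side has to reproduce. The test also exercises only one URL with no fields: a second postLink() call with a different URL in the same test, asserting that data[_Token][fields] changes, would show the hash follows the action of each generated form and does not carry over a value from an earlier one.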
2 changes: 2 additions & 0 deletions lib/Cake/View/Helper/FormHelper.php
Expand Up @@ -1790,6 +1790,8 @@ public function postLink($title, $url = null, $options = array(), $confirmMessag
unset($options['target']);
}

$this->_lastAction = $formUrl;

$out = $this->Html->useTag('form', $formUrl, $formOptions);
$out .= $this->Html->useTag('hidden', '_method', array(
'value' => $requestMethod
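Review bot: The new assignment `$this->_lastAction = $formUrl;` has no comment explaining that it exists so the form's action ends up in the security hash, which is the whole point of the fix; one line above it saying so would stop it being removed as dead state later. Because _lastAction is a property on the helper and not a local, it is also worth confirming that it is reset or overwritten once this hidden form is closed, so a later form rendered by the same helper cannot be hashed against the postLink URL. That code is outside the visible lines, so a test that renders a postLink() followed by a regular form would cover it.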

7 comments on commit e1057e3

@mirceaagr

Updated to 2.5 and get this error on more than one of my websites, including a small app developed with the shell
CORE/lib/Cake/View/Helper/FormHelper.php Unsupported Operand
Line: 1802

@markstory
Member Author

Yes, the signature for postLink() was modified slightly.

@henriquebremenkanp
Contributor

Why not change that line from $options += array('inline' => true, 'block' => null); to $options = (array)$options + array('inline' => true, 'block' => null); and make it backwards compatible for easier upgrades?

@dereuromark
Member

@Hikkijp That is exactly what I did yesterday - see 8af76a3

@henriquebremenkanp
Contributor

@dereuromark Sorry for that! I don't know how to use git very well, I just got into the same error and wanted to help. Thank you for the answer and the patch.

@dereuromark
Member

No problem. Just note that it is always good to check the current master branch for recent fixes.

@dereuromark
Member

This is not the commit that broke it @mirceaagr - This was: d647fe8
6 months ago and no one noticed until 2 days ago .. :)
